veracode static scan
Runs a Veracode Static Analysis scan and outputs any flaws found as a JSON file. This command returns exit code 3 if any flaws are found matching the specified criteria.
This command does not initiate a Static Analysis (SAST) scan (Upload and Scan) in the Veracode Platform. It runs a Static Analysis using Pipeline Scan. To integrate Static Analysis scans in the Veracode Platform using the API wrapper, see uploadandscan.
Usage
veracode static scan <file_path> [flags]
Arguments
| Argument | Description |
|---|---|
| file_path | Location of the package file that contains your application source code. Ensure the file meets the packaging requirements. |
Flags
General
Flags available on all commands.
| Flag | Description |
|---|---|
| -h, --help | Displays help for this command. |
| -v, --verbose | Displays detailed output. |
Analytics
Optional flags for querying runs with Veracode Analytics.
| Flag | Description |
|---|---|
| --app-id | Application profile ID for the application you want to upload and scan. |
| --development-stage | Specifies the development stage when the scan runs. Values are case-sensitive: Development, Testing, and Release. |
| --project-name | Name of the CI/CD repository running a scan. This flag adds the repository name to the scan results, which can help track scans across repositories. |
| --project-ref | Source control reference, revision, or branch of the CI/CD repository running a scan. |
| --project-url | URL of the CI/CD repository running a scan. |
GitLab
Optional flags for specific behavior to improve integration with GitLab.
| Flag | Description |
|---|---|
| --gl-issue-generation | Enter true to create GitLab issues from discovered flaws. Default is false. Before you can use this flag, you must configure GitLab. |
| --gl-vulnerability-generation | Enter true to create a JSON file from the scan results. GitLab imports flaws from this JSON file as vulnerabilities. Default is false. To use this flag, you must define the paths and reports settings in your GitLab CI configuration. |
Policy and output
Optional flags to control the output or application of policy.
| Flag | Description |
|---|---|
| --baseline-file | Location of a JSON file with results from a previous scan. Default filename is results.json. To create a baseline file, include --results-file. The new results only include flaws not listed in the baseline file. |
| --fail-on-cwe | Comma-separated list of CWE IDs. The scan results only include flaws of the specified CWEs. |
| --fail-on-severity | Comma-separated list of severities. The results only include flaws of the specified severities. By default, all severities are included. Values are Very High, High, Medium, Low, and Very Low. |
| --policy-file | Name of a local policy file you want to apply to the scan results. To download a policy, use the policy command. |
| --results-file | Filename or location to save the scan results as a JSON file. By default, the results are saved to ./results.json. |
| --summary-output | Filename or location to save the scan results as a human-readable file. This file is not saved by default. |
Scanning
Optional flag to control the scope of analysis.
| Flag | Description |
|---|---|
| --include | Enter a case-sensitive, comma-separated list of name patterns to specify the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters, and the ? wildcard matches exactly one character. For example, to include various module names that contain the text "module": --include "module 1, module-*, module2.jar" The scan results list the top-level modules that Veracode identified, along with all modules included in the scan. You can filter only by top-level modules. This flag does not pause, stop, or otherwise affect your pipeline's performance. |
Examples
To scan a Java JAR file and output flaws to results.json, run:
veracode static scan my_java_application/build/project.jar
To scan a Python ZIP file and filter the results by severity and CWE ID, run:
veracode static scan my-python-project.zip --fail-on-cwe "89,117" --fail-on-severity "Very High, High"
To scan a Java class file but only include results not included in a baseline file, run:
veracode static scan my_java_application/build/IgnoreCommand.class --baseline-file "baseline-results.json"
To create a baseline file and use it in a subsequent scan, run:
veracode static scan example.jar --results-file "baseline.json"
veracode static scan example.jar --baseline-file "baseline.json"
To scan a Python ZIP file and apply policy Veracode Recommended High, run:
veracode static scan my-python-project.zip --policy-file "Veracode Recommended High.json"
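The examples above show individual invocations. The following script is an added example (not part of the Veracode CLI documentation and not Veracode's own code) that ties them into a CI gate: it builds the flag list from the filtering, policy, baseline and analytics flags documented on this page, turns the documented exit code 3 into a pass/fail decision, and keeps a baseline file across runs so that only new flaws fail the build. The environment variable names (SCAN_ARTIFACT, FAIL_ON_CWE, FAIL_ON_SEVERITY, POLICY_FILE, BASELINE_FILE, RESULTS_FILE, PROJECT_NAME) are this script's own convention, not Veracode's.

```shell
#!/bin/sh
# Added example: a CI gate around `veracode static scan`. Environment
# variable names below are this script's convention, not Veracode's.

# Map the command's exit codes to a CI decision. Exit code 3 is documented
# as "flaws found matching the specified criteria"; 0 means none matched;
# anything else means the scan itself did not complete.
interpret_exit_code() {
    case "$1" in
        0) echo "pass" ;;
        3) echo "flaws-found" ;;
        *) echo "scan-error" ;;
    esac
}

# Build the argument list for one scan from environment variables.
# Prints one argument per line so values containing spaces and commas
# (for example "Very High, High") survive as a single argument.
# Usage: build_scan_args <file_path>
build_scan_args() {
    printf '%s\n' "$1"
    # Filtering and policy flags are added only when a value is configured.
    [ -n "$FAIL_ON_CWE" ]      && printf '%s\n' "--fail-on-cwe" "$FAIL_ON_CWE"
    [ -n "$FAIL_ON_SEVERITY" ] && printf '%s\n' "--fail-on-severity" "$FAIL_ON_SEVERITY"
    [ -n "$POLICY_FILE" ]      && printf '%s\n' "--policy-file" "$POLICY_FILE"
    # Analytics metadata helps track scans across repositories.
    [ -n "$PROJECT_NAME" ]     && printf '%s\n' "--project-name" "$PROJECT_NAME"
    # The baseline is used only once it exists; the first run creates it.
    if [ -n "$BASELINE_FILE" ] && [ -f "$BASELINE_FILE" ]; then
        printf '%s\n' "--baseline-file" "$BASELINE_FILE"
    fi
    printf '%s\n' "--results-file" "${RESULTS_FILE:-results.json}"
    return 0
}

# Run the scan for one artifact. Returns 0 only when the build may proceed.
run_gate() {
    artifact="$1"
    results="${RESULTS_FILE:-results.json}"

    # Turn the newline-separated argument list into positional parameters.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(build_scan_args "$artifact")
    set +f
    IFS=$old_ifs

    if ! command -v veracode >/dev/null 2>&1; then
        echo "veracode CLI not found; would run: veracode static scan $*" >&2
        return 2
    fi

    rc=0
    veracode static scan "$@" || rc=$?

    # On the first run with a configured but missing baseline, keep these
    # results as the baseline so later runs only report new flaws.
    if [ -n "$BASELINE_FILE" ] && [ ! -f "$BASELINE_FILE" ] && [ -f "$results" ]; then
        cp "$results" "$BASELINE_FILE"
        echo "baseline created at $BASELINE_FILE; commit it to the repository" >&2
    fi

    case "$(interpret_exit_code "$rc")" in
        pass)
            echo "no flaws matched the configured criteria"
            return 0 ;;
        flaws-found)
            echo "flaws found; see $results" >&2
            return 1 ;;
        *)
            echo "scan did not complete (exit code $rc)" >&2
            return 1 ;;
    esac
}

# Example invocation: SCAN_ARTIFACT or the first argument names the package.
if [ -n "${1:-$SCAN_ARTIFACT}" ]; then
    run_gate "${1:-$SCAN_ARTIFACT}"
fi
```

A scan error (any exit code other than 0 or 3) is treated as a failed gate rather than a pass, so a broken packaging step or an unreachable service cannot silently let a build through. Because --baseline-file makes the results file contain only flaws not in the baseline, the script copies results into the baseline only when no baseline exists yet; refreshing an existing baseline is left as a deliberate, reviewed step.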